Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1678
Views
0
Helpful
4
Replies

Cisco S170 - LDAPS failed with SSL3_GET_KEY_EXCHANGE

Go to solution
ViscOtter
Level 1
Level 1

‎01-21-2020 10:10 AM

Currently working on updating our ironport to use LDAPS on port 3269. Currently it's just using regular LDAP on port 389. We have 2 LDAPS servers and the first succeeds when using the Start Test button but getting an error for the 2nd server. Any advice? Below is the error:

 

 

Checking connectivity of LDAP Server(s)...
Success: Server 'IP.OF.SERVER.1' responding to queries on port 3269.
Failure: Queries to server 'IP.OF.SERVER.2' on port 3269 failed :
Inquiry timed out: SSL Error: (336122170, 'error:1408D13A:SSL routines:SSL3_GET_KEY_EXCHANGE:unable to find ecdh parameters')

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
shgrover
Cisco Employee
Cisco Employee
In response to ViscOtter

‎01-24-2020 10:09 AM

Hello ViscOtter,

 

Check the following:-

CLI> sslconfig

Disabling SSLv3 is recommended for best security.

Note that the SSL/TLS service on remote servers may require that the selected TLS versions be sequential. So to avoid communications errors, always select a contiguous set of versions for
each service. For example, do not enable TLS 1.0 and 1.2, while leaving TLS 1.1 disabled.

Choose the operation you want to perform:
- VERSIONS - Enable or disable SSL/TLS versions
- COMPRESS - Enable or disable TLS compression for Proxy Service
- CIPHERS - Set ciphers for services in WSA
- FALLBACK - Enable or disable SSL/TLS fallback option
- ECDHE - Enable or disable ECDHE Authentication.
[]> ecdhe

ECDHE cipher status is currently enabled in LDAP. Do you want to disable it? [N]> 

 

You need to disable the above.

 

If this doesn't resolve, take a pcap and compare the working an non working scenarios, check cipher suites in client hello. check if the cipher suites are different.

 

Regards

Shikha Grover

PS: Please don't forget to rate and select as validated answer if this answered your question

 

 

 

View solution in original post

0 Helpful
4 Replies 4

Go to solution
shgrover
Cisco Employee
Cisco Employee

‎01-24-2020 06:05 AM

Hello  ViscOtter,

 

You seem to be hitting a bug. Though it doesn't mention the newer versions, please try to disable the ECDH ciphers on the WSA and the LDAP server and try again.

 

you can match the ciphers on the LDAPS cipher( that is working fine )

 

bug link: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCus45109

 

Regards

Shikha Grover

PS: Please don't forget to rate and select as validated answer if this answered your question

0 Helpful

Go to solution
ViscOtter
Level 1
Level 1
In response to shgrover

‎01-24-2020 06:18 AM

We're on:  10.1.4-017

 

How can I disable ECDH ciphers on the WSA for LDAPS? Under System Administration > SSL Configuration, I only see ciphers to use for Proxy Services. The only options for LDAPS is TLS 1.0 and SSL 3.0

 

Also, our LDAPS servers are 2012R2 and 2016. This bug is happening on the 2016 server.

0 Helpful

Go to solution
shgrover
Cisco Employee
Cisco Employee
In response to ViscOtter

‎01-24-2020 10:09 AM

Hello ViscOtter,

 

Check the following:-

CLI> sslconfig

Disabling SSLv3 is recommended for best security.

Note that the SSL/TLS service on remote servers may require that the selected TLS versions be sequential. So to avoid communications errors, always select a contiguous set of versions for
each service. For example, do not enable TLS 1.0 and 1.2, while leaving TLS 1.1 disabled.

Choose the operation you want to perform:
- VERSIONS - Enable or disable SSL/TLS versions
- COMPRESS - Enable or disable TLS compression for Proxy Service
- CIPHERS - Set ciphers for services in WSA
- FALLBACK - Enable or disable SSL/TLS fallback option
- ECDHE - Enable or disable ECDHE Authentication.
[]> ecdhe

ECDHE cipher status is currently enabled in LDAP. Do you want to disable it? [N]> 

 

You need to disable the above.

 

If this doesn't resolve, take a pcap and compare the working an non working scenarios, check cipher suites in client hello. check if the cipher suites are different.

 

Regards

Shikha Grover

PS: Please don't forget to rate and select as validated answer if this answered your question

 

 

 

0 Helpful

Go to solution
ViscOtter
Level 1
Level 1
In response to shgrover

‎01-27-2020 04:22 AM - edited ‎01-27-2020 04:51 AM

I did the below and double checked it said "ECDHE cipher status is disabled in LDAP":


Choose the operation you want to perform:
- VERSIONS - Enable or disable SSL/TLS versions
- COMPRESS - Enable or disable TLS compression for Proxy Service
- CIPHERS - Set ciphers for services in WSA
- FALLBACK - Enable or disable SSL/TLS fallback option
- ECDHE - Enable or disable ECDHE Authentication.
[]> ecdhe

ECDHE cipher status is enabled in LDAP

Please select an option to change ECDHE cipher status:
- 1 - Toggle ECDHE cipher status in LDAP
[]> 1

 

I also checked the client hello and both servers give the below whether I change the above setting or not:

TLSCipherSuite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA { 0xC0,0x14 }

 

 

The only thing I didn't try was rebooting the WSA after I made that change because I would need to wait til after hours.

 

 

EDIT: Nevermind, your solution worked. I forgot one important step.. commit in cli.. oops. Thanks for all the help!

 

0 Helpful
Customers Also Viewed These Support Documents